Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
CERTIFICATE PRACTICES
FOR
PDO NDS SUBSCRIBERS
Version 2.0
(IDRBTCA/DOC/NDS/2.0)
© COPYRIGHT 2002-2004, IDRBT
IDRBT CA,
IDRBT,
Castle Hills, Road No. 1
Masab Tank, Hyderabad,
Andhra Pradesh – 500057, India
Ph: 040 23534981/23534982
Fax: 040 23535157/23536365
Email: [email protected]
INDEX
11.. IInnttrroodduuccttiioonn .......................................................................................................................................................................................................................... 22
22.. SSccooppee .................................................................................................................................................................................................................................................. 22
33.. PPrroocceedduurreess ffoorr oobbttaaiinniinngg DDiiggiittaall CCeerrttiiffiiccaattee ffoorr PPDDOO NNDDSS AApppplliiccaattiioonn .... 22
3.1. New applicant* of PDO NDS Application .................................................... 3 3.2. Existing Subscriber of PDO-NDS Application ............................................ 4
44.. CCoosstt ooff DDiiggiittaall CCeerrttiiffiiccaattee ........................................................................................................................................................................ 44
55.. DDiissttrriibbuuttiioonn ooff DDiiggiittaall CCeerrttiiffiiccaattee.............................................................................................................................................. 55
66.. RReevvooccaattiioonn ooff DDiiggiittaall CCeerrttiiffiiccaattee ................................................................................................................................................ 55
AAppppeennddiixx --11 .......................................................................................................................................................................................................................................... 77
AAppppeennddiixx -- 22 ........................................................................................................................................................................................................................................ 88
AAppppeennddiixx ––33 .................................................................................................................................................................................................................................... 1100
SStteeppwwiissee pprroocceedduurreess ffoorr rreeqquueessttiinngg aa ddiiggiittaall cceerrttiiffiiccaattee:: .............................................................. 1111
© IDRBT CA, 2002-2004 1
11.. IINNTTRROODDUUCCTTIIOONN
RBI has commenced an integrated project on Negotiated Dealing System, which
will provide electronic dealing platform for trading in government securities and
money market instruments and computerization of its Public Debt Offices for
complete automation of the operations (called the PDO-NDS Project). The
Project will facilitate electronic bidding in auctions and transparency of trades in
secondary market transactions in Government securities on a real time basis.
22.. SSCCOOPPEE
IDRBT Certifying Authority (IDRBT CA), the licensed Certifying Authority
under Controller of Certifying Authorities, Govt. of India will issue digital
certificates for Banks and Financial Institutions for PDO NDS application. The
certificates are issued for certain period of validity. On reaching the validity
IDRBT CA notifies the subscribers regarding the expiry of the same. Subscribers
should make new certificate request upon the expiry of the existing certificate.
33.. PPRROOCCEEDDUURREESS FFOORR OOBBTTAAIINNIINNGG DDIIGGIITTAALL CCEERRTTIIFFIICCAATTEE FFOORR
PPDDOO NNDDSS AAPPPPLLIICCAATTIIOONN
• The digital certificate will be issued to the server, which hosts the PDO
NDS application.
• For obtaining the digital certificate the bank/financial
institution/organization must authorize an official in charge of the PDO
NDS Server.
© IDRBT CA, 2002-2004 2
• The authorized persons will apply for Class 3 digital certificates along
with the documents mentioned in sections 3.1 and 3.2 given below.
33..11.. NNeeww aapppplliiccaanntt** ooff PPDDOO NNDDSS AApppplliiccaattiioonn
Present himself before the RA Office with duly filled application form (given in
Appendix-1) accompanied with the relevant document mentioned below.
Original copies of any one of the documents (Photocopies also must be
furnished.)
Passport
Voter’s ID
PAN Card
Driving License
Any other photo identity document issued by government
One Passport size photograph pasted on application form
Three floppies to copy the certificate/key
Three envelopes to store the password of key
The procedures for creating request and applying online are described in
detail in Appendix-3.
* New applicant means an authorized official who is applying for new
certificate,
or
© IDRBT CA, 2002-2004 3
an authorized official who is newly appointed in place of earlier official
who was in-charge.
33..22.. EExxiissttiinngg SSuubbssccrriibbeerr ooff PPDDOO--NNDDSS AApppplliiccaattiioonn
An authorized official already holding the responsibility of the PDO NDS
application in his organization and is assigned the UserId by RA office has to
apply a fresh certificate request along with the duly filled application form as per
Appendix-1. Personal presence in front of RA is not required in this case. The
procedures for creating request and applying online are described in detail in
Appendix-3.
44.. CCOOSSTT OOFF DDIIGGIITTAALL CCEERRTTIIFFIICCAATTEE
The validity of the digital certificate will be for two years.
The cost of Class 3 PDO NDS Certificate is as given below:
a. For those who have selected IDRBT RA Office (for Banks/FIs/Govt. Agencies)
as RA: Rs. 21,000/- for two years (Rs. 20,000/- for certificate fees + Rs. 1,000/-
for administrative charges).
b. For those who requests through their own RA Office: Rs. 20,000/- for two
years
The certificate fee details are published in IDRBT CA’s website
http://idrbtca.org.in/ . Any changes in the certificate fees will be notified in the
website.
The cost must be borne by the Subscriber. The amount must be paid by means of
Demand Draft taken in favour of IDRBT payable at Hyderabad.
© IDRBT CA, 2002-2004 4
55.. DDIISSTTRRIIBBUUTTIIOONN OOFF DDIIGGIITTAALL CCEERRTTIIFFIICCAATTEE
The digital certificate issued for PDO NDS subscribers will be taken on media
(on floppy) after the verification by RA Office and issuance by IDRBT CA. The
copies of the certificate and the private key file will be made in floppies for
further use.
66.. RREEVVOOCCAATTIIOONN OOFF DDIIGGIITTAALL CCEERRTTIIFFIICCAATTEE
A certificate shall be revoked when the information in the certificate is known to
be, or suspected be, inaccurate or when the private key associated with the
certificate is compromised or suspected to be compromised. This includes
situations where:
• The subscriber loses relevant privileges;
• The information provided by the end entity is inaccurate, e.g. when the
owner of an identity certificate change their name
• The subscriber changes his organization
• An end entity makes the request for the revocation
• Any other reason that may be reasonably expected to affect the integrity,
security, or trustworthiness of IDRBT CA Digital Certificate
• The Subscriber has breached or failed to meet their obligations under this CPS
or any other agreement, regulation or law which may be in force
• Any other circumstances which shall be determined by rules and regulations
to governing law
© IDRBT CA, 2002-2004 5
A revocation request can be made by the holder of the certificate to be revoked to
the IDRBT CA. The revocation request must be in written format as per
Appendix - 2 and should be propagated to IDBRT CA either by fax, courier or
post.
NB: If the revocation of the certificate is initiated due to the negligence or any
fault from the user, the certificate fees will be levied for the new certificate
application.
© IDRBT CA, 2002-2004 6
AAPPPPEENNDDIIXX --11
APPLICATION FORM FOR ISSUE OF DIGITAL CERTIFICATE * Fields are mandatory #Strike off which are not applicable New user /Existing user
Certificate Applied*: Class 3 Certificate required*: Individual/ Server Type of Certificate * : Signing Certificate Validity: 2yrs
Personal Details: Name*: Email Address*: Office Address*: (with Designation and Department)
Pincode*: Telephone*: Identification Details* (Passport No/PAN Card No/Voter’s ID Card No/Driving License No/PF No/Employee ID): Details of Server * (name of the server): Important Notice: • This application form is to be filled by the applicant. • All subscribers are advised to read IDRBT CA Certificate Practice Statement (download from http://idrbtca.org.in/) • All documents specified in CPS for each Certificate Class must be accompanied with this application form. • Application form must be submitted in person to the Registration Authority for face-to-face recognition in the case of Class 3 Certificate. • Incomplete/Inconsistent application is liable to be rejected. Declaration and Undertaking by the Applicant All the above information provided by me is true to the best of my knowledge and belief. I am submitting this application as an authorized person for and on behalf of the organisaton/government department for carrying out only authorized transactions by using the Digital Certificate in the discharge of my official duties. I accept the responsibility for the safety and integrity of the private key by controlling the access to the computer/device containing the same, so that it is not compromised and I will immediately notify my Superior Officer/RA/ IDRBT CA in event of key compromise. I agree to publish the Digital Certificate in the IDRBT CA repository and will report my Registration Authority of any error or defect in the certificate and change in the above information. Date: Place: Name of the Applicant: (Signature of the applicant) For Superior Authority of Applicant* This is to certify that Mr/Ms.…………………………………………………………………………………………………………......... has provided correct information in the “Application Form for Issue of Digital Certificate” to the best of my knowledge and belief. I hereby authorize him/her, on behalf of my organization, to apply for obtaining Digital Certificate from IDRBT CA for the purpose specified above. Date: Place: Name of Officer: Official Email: (Signature of Officer with stamp of Org./office)
For RA Purpose only
Checklist Date & Time with Initials
Received the application form for digital certificate?
Verified the photocopies of the identification document(Passport/Voter’s ID/PAN Card/Domain registration)?
Face-to-Face verification? (in case of Class 3 Certificate)
© IDRBT CA, 2002-2004 7
AAPPPPEENNDDIIXX -- 22
Certificate Revocation/Suspension Form
Certificate Revocation Certificate Suspension
(Tick Applicable) Certificate Revocation/Suspension Request Date:
To: Instructions:
1. Fill in the Certificate Revocation Request Form and submit to the IDRBT CA authorized Registration Authority in person or fax or post.
2. Request from authorized third party must be accompanied with an authorized letter from the certificate owner and the third party’s identification document like Passport/Voter’s Identity Card/Income Tax PAN Card.
3. The soft copy of Digital Certificate must be sent as an email to the IDRBT CA mentioning “Certificate Revocation/Suspension Request” as the subject or in a floppy disk accompanying the form if it is by post.
Certificate Details Certificate Serial Number: Category of Certificate: Signing Encryption Server Object Signing (Tick applicable) Public Key of Holder: (Attach soft copy of Digital Certificate) Certificate Owner Details Name of Holder:
© IDRBT CA, 2002-2004 8
Email Address: Reason for Revocation User Compromise Key Compromise Details: Authorization Authorised by: Certificate Owner Third Party (Documentation verifying authorisation must be sighted) Name: Signature: Contact No: Email: For Registration Authority Use Only
ITEM Completed Date Initials Request form (person/fax/post) Yes/No Digital Certificate soft copy(email/floppy)
Yes/No
Identification document of the third party if any?
Yes/No
Date Received: Subscriber notified by:
Person Fax Post
Revoked/Susepended by IDRBT CA Date: Initials:
© IDRBT CA, 2002-2004 9
AAPPPPEENNDDIIXX ––33
User Manual for Digital Certificates for PDO NDS
IDRBT CA’s i-trust PKI Services is available on INFINET and Internet.
Visit IDRBT CA’s official website on INFINET at http://idrbtca.org.in/. This website
contains the information about the IDRBT CA Certification Practice Statement,
the classes of digital certificates offered by IDRBT CA, general information about
PKI, Registration Authorities, Information Technology Act, Subscriber
Agreement, Privacy Statement, Frequently Asked Questions, IDRBT CA support
Desk, etc.
Contacting IDRBT CA Technical Support:
i-trust PKI Customer Services team is committed to supporting the users. If you
have any questions, need additional assistance, or encounter a problem, please
contact the following:
IDRBT CA i-trust PKI Services Support Team INFINET http://idrbtca.org.in/ , http://infinet.org.in/ INTERNET http://www.idrbt.com/ E-mail [email protected] Telephone +91-40-23536297 or 23534981/82 Extn- 5216/5217 Fax +91-40-23536371
© IDRBT CA, 2002-2004 10
SSTTEEPPWWIISSEE PPRROOCCEEDDUURREESS FFOORR RREEQQUUEESSTTIINNGG AA DDIIGGIITTAALL
CCEERRTTIIFFIICCAATTEE::
1. Procedure to generate the Certificate Request
• The applicant will generate a certificate request using RequestGen
software. The sample of details to be filled is shown in fig 1.
Fig 1. Details to be filled in RequestGen software.
The details to be filled are as follows:
• Name (the name of bank/financial institution)
• Email (email address of the bank/FI department)
© IDRBT CA, 2002-2004 11
• Organisation (name of the bank/FI)
• Organisation Unit (name of the department/unit)
• Locality (City name where the server is hosted)
• State
• Country code (IN for India)
• Key Size (select 1024)
• Passphrase (give a password not more than 12 characters. This
password will be copied in triplicate and to be kept in safe
custody.)
• Confirm Passphrase
• Period of validity (Two years)
• For Signing Certificate (select this option)
• Save request as (the file name convention should include name of
bank and the date of creation, for e.g. nameofbank18032003.req)
• Save Private Key as (the file name convention should include name
of bank and the date of creation, for e.g. nameofbank18032003.pem)
The applicant will then apply for Class 3 Signing Certificate through IDRBT CA
Certification Services choosing the RA Office and will paste the request
generated using RequestGen software in the corresponding field as mentioned in
the below mentioned procedures.
2. Online request
After generation of PKCS#10 request (.req) through RequestGen application, the
applicant has to login to the IDRBT site through https://10.0.65.60/ (on INFINET)
or https://services.idrbtca.org.in/ (on Internet).
Fig 2 shows the home page of IDRBT CA Service
© IDRBT CA, 2002-2004 12
Fig-2
Click on “Enter Subscriber Website”, which will direct you to the main page of
Subscriber’s site and select “Get a Digital Certificate” link. Click “Login” button
to enter into the page where you can select the Registration Authority (RA) from
the list of RAs as shown in Fig 3.
© IDRBT CA, 2002-2004 13
Fig-3 Select the RA office from which you have obtained the User ID and Password
and click “Submit” button. This will guide you to the login page where you are
prompted to enter the UserID and Password as shown in Fig 4.
© IDRBT CA, 2002-2004 14
Fig-4 Enter the User ID and Password given to you and click “Login” button. If you
had already applied for a certificate, the details will be displayed as given in Fig
5.
Fig-5
© IDRBT CA, 2002-2004 15
Click on submit button to proceed further to the next page as given in Fig 6.
Fig-6 Select Certificate type as “Signing Certificate” and Certificate class as “Class 3”.
Fill the details of your PDO NDS server.
Note: You have already generated PKCS#10 Certificate request (.req file) for
your PDO NDS server using RequestGen software. Check the ‘Yes’ radio button
as in Fig 7 given below and click “Next” to proceed.
© IDRBT CA, 2002-2004 16
Fig-7 You can view all the details, which you have filled as shown in the Fig 8.
Fig-8
© IDRBT CA, 2002-2004 17
Click “Next” button to proceed further and will take you the page where you can
paste the PKCS#10 certificate request as shown in Fig 9.
Fig-9 Copy the entire content of your .req file starting from -----BEGIN CERTIFICATE
REQUEST----- to -----END CERTIFICATE REQUEST-----, and paste it in the space
provided. Click on “Submit PKCS#10 Request” button. If the request is in correct
format, it will give you a request number as given in Fig 10. You can note down
this request number for further course of action.
© IDRBT CA, 2002-2004 18
Fig-10.
IDBRT CA will issue the certificate for your certificate request.
© IDRBT CA, 2002-2004 19
3. Downloading Certificate
After the certificate is generated you can download the same. You can check the
status of the request by querying your certificate request status by clicking the
“Certificate Management” link in the homepage of IDRBT CA’s website
(https://10.0.65.65/ on INFINET or https://services.idrbtca.org.in/ on Internet).
You should login to the site by selecting the RA Office and click “View Status”
on the top menu and enter your request number. The status of your request will
be displayed as given in Fig 11.
Fig-11
If the status of the certificate request is “Certificate Generated”, click on the
highlighted link corresponding to your request number to proceed for
download. On clicking the link, it will prompt you to agree with terms and
condition of IDRBT CA. Proceed further by clicking the “I Agree” button. This
© IDRBT CA, 2002-2004 20
will guide you to the page where you can download the certificate after viewing
the details as shown in Fig 12.
Fig-12
Select the second option to download the certificate as a file. You can save the file
by clicking “Download” button, as given in Fig 13.
© IDRBT CA, 2002-2004 21
Fig-13
Assign the name to the file and save it to disk as “Security Certificate” type. This
file will be saved with .cer extension by default.
Keep this file in the specified location on your PDO NDS server along with your
private key file (.pem) generated earlier using the RequestGen tool. Contact NDS
Helpdesk for further course of action to implement certificates in PDO NDS
application.
For more details contact:
Ph: 040-23536297 (Direct)
Ph: 040-23534981 Extn- 5217/5216
© IDRBT CA, 2002-2004 22